Between June and July 2015, the United States Computer Emergency Readiness Team (US-CERT) received reports of multiple, ongoing and likely evolving, email-based phishing campaigns targeting U.S. Government agencies and private sector organizations. This alert provides general and phishing-specific mitigation strategies and countermeasures.

Description

US-CERT is aware of three phishing campaigns targeting U.S. Government agencies and private organizations across multiple sectors. All three campaigns leveraged website links contained in emails; two sites exploited a recent Adobe Flash vulnerability (CVE-2015-5119) while the third involved the download of a compressed (i.e., ZIP) file containing a malicious executable file. Most of the websites involved are legitimate corporate or organizational sites that were compromised and are hosting malicious content.

Impact

Systems infected through targeted phishing campaigns act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.

Solution

Phishing Mitigation and Response Recommendations

Implement perimeter blocks for known threat indicators:

Email server or email security gateway filters for email indicators

Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware

DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames

Search applicable web proxy, DNS, firewall or IDS logs for activity to any associated command and control (C2) domains or IP addresses associated with the malware.

Review anti-virus (AV) logs for alerts associated with the malware. AV products should be configured to be in quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as conclusive evidence a system is not infected.

Isolate infected systems on a virtual local area network (VLAN) segmented from the production agency network (e.g., an Internet-only segment).

Report incidents, with as much detail as possible, to the NCCIC.
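The perimeter-block and log-search recommendations above are easier to operationalize with a small indicator-matching script. The following is an added example written for this page, not a US-CERT or NCCIC tool: it takes a set of known-bad domains, IP ranges and sender addresses, scans web proxy, DNS, firewall and mail gateway log lines for hits (matching subdomains of a blocked domain as well), and emits a BIND response policy zone (RPZ) fragment that blackholes or sinkholes the domains. Every indicator and log line here is a constructed placeholder (TEST-NET addresses and `.example` names); the alert itself publishes no indicators, so real values come from the indicator bulletins you receive.

```python
"""Hypothetical indicator-matching helper (added example, not US-CERT tooling).

(1) scan_logs() finds proxy/DNS/firewall/mail-gateway log lines that reference a
    known-bad domain (or a subdomain of one), IP address / CIDR range, or sender.
(2) build_rpz_zone() turns the domain list into BIND RPZ records for a DNS
    blackhole (NXDOMAIN) or, given a sinkhole IP, a redirect.
All indicators and log lines below are constructed placeholders.
"""
import ipaddress
import re

# Constructed indicators: TEST-NET ranges and reserved .example names, not real IoCs.
INDICATORS = {
    "domains": {"compromised-corp.example", "c2-drop.example"},
    "ips": {"192.0.2.45", "198.51.100.0/24"},
    "senders": {"hr-notices@lookalike.example"},
}

# Constructed log samples: squid-style proxy, BIND query log, firewall, mail gateway.
SAMPLE_LOGS = [
    "1436300001.123 10.0.5.21 TCP_MISS/200 GET http://www.compromised-corp.example/news/flash.swf",
    "1436300002.456 10.0.5.22 TCP_MISS/200 GET https://intranet.corp.local/home",
    "09-Jul-2015 14:02:11 client 10.0.5.23#51234: query: cdn.c2-drop.example IN A",
    "09-Jul-2015 14:02:12 client 10.0.5.23#51235: query: www.example.org IN A",
    "fw: ACCEPT src=10.0.5.24 dst=198.51.100.77 proto=tcp dport=443",
    "mailgw: from=<hr-notices@lookalike.example> to=<user@agency.local> attach=invoice.zip",
]

_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_MAIL_RE = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")


def host_matches(host, domains):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_matches(ip, nets):
    """True if ip falls inside any blocked address or CIDR range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def scan_logs(lines, indicators=INDICATORS):
    """Return a list of (line_index, indicator_kind, matched_value) for every hit."""
    hits = []
    for i, line in enumerate(lines):
        # Sender addresses first; strip them so the host regex does not re-match them.
        for addr in _MAIL_RE.findall(line):
            if addr.lower() in indicators["senders"]:
                hits.append((i, "sender", addr))
        stripped = _MAIL_RE.sub("", line)
        for host in _HOST_RE.findall(stripped):
            if host_matches(host, indicators["domains"]):
                hits.append((i, "domain", host))
        for ip in _IP_RE.findall(stripped):
            if ip_matches(ip, indicators["ips"]):
                hits.append((i, "ip", ip))
    return hits


def build_rpz_zone(domains, sinkhole_ip=None):
    """Emit BIND RPZ records for each domain and its subdomains.

    'CNAME .' makes the resolver answer NXDOMAIN (blackhole); with a sinkhole
    address, an A record redirects clients to it instead (sinkhole).
    """
    records = []
    for d in sorted(domains):
        for name in (d, "*." + d):
            if sinkhole_ip:
                records.append(f"{name} IN A {sinkhole_ip}")
            else:
                records.append(f"{name} IN CNAME .")
    return "\n".join(records)


if __name__ == "__main__":
    for idx, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {kind} indicator hit -> {value}")
    print(build_rpz_zone(INDICATORS["domains"]))
```

Run against the constructed samples, the script flags the proxy request to the compromised site, the DNS query for a subdomain of the C2 domain, the firewall connection into the blocked range and the phishing sender, while the legitimate intranet and example.org lines pass. Subdomain matching matters because compromised legitimate sites and C2 infrastructure are frequently reached through hostnames other than the bare domain, and the wildcard RPZ entry covers the same case on the resolver side.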

Educate Your Users

Organizations should remind users that they play a critical role in protecting their organizations from cyber threats. Users should:

Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. Be particularly wary of compressed or ZIP file attachments.

Avoid clicking directly on website links in emails; attempt to verify web addresses independently (e.g., contact your organization’s helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).